security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,276 Commits 1 Branch 0 Tags
ac01718bb6dbd3f95463e809f94ce47005544508
Commit Graph

21 Commits

Author SHA1 Message Date
Jonhnathan ac01718bb6 [Rule Tuning] Add tags to flag Sysmon-only rules & Modify Investigation Guide-related tag (#2352) 
* [Rule Tuning] Add tags to flag Sysmon-only rules

* Modify tags

* Revert "Modify tags"

This reverts commit 3d9267d171a41f727bb499501d71d5c4db4f0434.

* Modify tags

* Update test_all_rules.py

* Update test_all_rules.py

* Update test_all_rules.py

* Update test_all_rules.py

* Update test_all_rules.py
 2022-11-18 12:32:27 -03:00
Jonhnathan ec04a39413 [Security Content] Tag rules with robust Investigation Guides (#2297) 2022-09-23 14:20:32 -03:00
Justin Ibarra 46d5e37b76 min_stack all rules to 8.3 (#2259) 
* min_stack all rules to 8.3

* bump date

Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>
 2022-08-24 10:38:49 -06:00
Samirbous b15f0de9a4 [Rules Tuning] Diverse Windows Rules - FPs reduction (#2213) 
* [Rules Tuning] 7 diverse Windows rules

Excluding FP patterns while avoiding breaking compat with winlogbeat and 4688 events lack of codesign metadata.

* Update initial_access_suspicious_ms_exchange_process.toml

* Update privilege_escalation_persistence_phantom_dll.toml

* Update execution_psexec_lateral_movement_command.toml

* Update persistence_remote_password_reset.toml

* Update non-ecs-schema.json

* Update persistence_remote_password_reset.toml

* Update non-ecs-schema.json

* Update discovery_privileged_localgroup_membership.toml
 2022-08-02 18:37:07 +02:00
Jonhnathan 3a8efc8183 [Security Content] 8.4 - Add Investigation Guides (#2069) 
* [Security Content] 8.4 - Add Investigation Guides

* Apply suggestions from code review

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

* Update rules/windows/credential_access_cmdline_dump_tool.toml

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

* Apply suggestions from code review

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/windows/credential_access_credential_dumping_msbuild.toml

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
 2022-07-13 11:28:34 -03:00
Justin Ibarra 3fc34b86f2 Update License to Elastic v2 (#944) 2021-03-03 22:12:11 -09:00
Justin Ibarra 645a0cd67b [Rule Tuning] Add timestamp_override to all query and non-sequence EQL rules (#945) 
* [Rule Tuning] Add timestamp_override field to rules
* add tests for lookback and timestamp_override
* fix dates and add test to ensure updated > creation
 2021-02-17 19:49:58 -09:00
Justin Ibarra a0e86e20d6 [Rule Tuning] Add windows integration index to rules (#923) 2021-01-28 20:53:57 -09:00
Justin Ibarra c1a0438f45 [Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706) 
* replaced/removed all revoked/deprecated techniques
* tests will fail on revoked (changed) techniques
* tests will fail on deprecated techniques
* tests will fail when techniques are mapped to an invalid tactic
 2020-12-18 12:46:16 -09:00
Justin Ibarra 97ee8cc9ac Refresh beats and ecs schemas and default to use latest to validate (#570) 
* Refresh beats and ecs schemas and default to use latest to validate
* remove incorrect ecs_version from zoom rule
* remove stale ecs_version from rules
 2020-12-01 13:24:20 -09:00
Justin Ibarra f87f2a46f4 [Rule Tuning] Remove all rule timelines (#466) 2020-11-03 09:51:53 -09:00
Justin Ibarra da64bacac1 [Rule Tuning] Add timeline_title to rules with timeline IDs defined (#452) 2020-11-02 14:12:20 -09:00
Justin Ibarra 0d3c35886c Remove connection type from endpoint network rules (#426) 2020-10-28 12:35:34 -08:00
Derek Ditch 580db2c13e Add timeline_id to detection rules (#95) 
* Adds timeline_id to all network rules
- Uses the ID for the 'Generic Network Timeline' from Elastic
* Adds timeline_id to all endpoint rules
- Uses the ID for the 'Generic Endpoint Timeline' from Elastic
* Adds timeline_id to all process-oriented rules
    - Uses the ID for the 'Generic Process Timeline' from Elastic
* Ran tests and toml-lint
* Bumped 'updated_date'
 2020-10-27 13:34:16 -05:00
seth-goodwin 2065af89b1 [Rule Tuning] Tag Categorization Updates (#380) 
* Add new categorization tags

* Change updated_date to 2020/10/26

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>, @bm11100
 2020-10-26 13:50:45 -05:00
brokensound77 aec3ec31b9 Merge branch '7.9' into main 2020-08-27 15:54:44 -08:00
Justin Ibarra 79a0dfefbe Add ECS 1.6.0 schema for validation testing (#220) 
* Add ecs 1.6.0 and refresh master ecs (2.0.0)
* update rule metadata to use ecs_version 1.6.0
 2020-08-27 11:54:49 -05:00
Justin Ibarra be08536880 Increase lookback for endpoint rules (#200) 2020-08-21 12:23:43 -05:00
Brent Murphy 7efe33e01d [Rule Tuning] Update Index Pattern for Detection Engine Rules (#101) 
* [Rule Tuning] Update Index Pattern for Detection Engine Rules

* update indices
 2020-08-03 15:46:57 -04:00
Justin Ibarra 95908c22a4 Improve ECS compatibility for endpoint rules 2020-07-07 15:41:23 -06:00
Ross Wolf 5fcece8416 Populate rules/ directory. 
Co-Authored-By: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-Authored-By: Craig Chamberlain <randomuserid@users.noreply.github.com>
Co-Authored-By: David French <56409778+threat-punter@users.noreply.github.com>
Co-Authored-By: Derek Ditch <dcode@users.noreply.github.com>
Co-Authored-By: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-06-29 22:57:03 -06:00